As a matter of fact, the Ukrainian Crisis has emphasized the importance of the crisis management skills in the state level.
On May 19, 2021, the recently established EU CyCLONe (Cyber Crises Liaison Organisation Network) organized the ‘CySOPEx 2021’ to test for the first time the procedures for prompt and effective cyber crisis management in the EU to face large-scale, cross border cyber-attacks[1]. The goals of the exercise were to increase the overall competences to train on situational awareness and information sharing processes; improve understanding of roles and responsibilities; identify improvements and/or potential gaps in the standardized way of responding to incidents and crises and test cooperation tools and exercise infrastructures provided by ENISA.
As a matter of fact, the Ukrainian Crisis has emphasized the importance of the crisis management skills in the state level. However, Crisis Management are relevant to the private sector too. In May 2017 and in September 2018, British Airways experienced severe crisis[2]. The first cyber-attack was an IT failure paralyzed its ability to operate for hours. Flights were cancelled, and some 75,000 passengers were stranded. The damage became even worse because its management failed to manage the crisis and minimize its effects. As a result, it had to allocate some EUR 150 million to cover potential damages.
Cyber Crisis Management Capabilities
Building organizational capabilities to handle a computer and cyber crisis is a crucial component in the overall construction of every organization’s defensive and business continuity capabilities. In every crisis, the main challenge is to understand the situation and response accordingly. First, we will need to understand the characteristics a crisis and how crisis develops.
Routine activity is the typical functional situation of any company or organization. Normally a crisis will develop from this routine situation. In most cases understanding that the organization is in a cyber crisis develops gradually from various warning signs. A call center is unable to operate software or initiate communications; Airport check-in desk is unable to upload passengers’ data and so on. Each of the isolated event do not necessarily indicates a cyber crisis. It may very well be a local glitch in the IT system. However, when accumulated into a single integrated picture, might signal that something is going on.
Carl von Clausewitz, the famous war philosopher of the 19th century, noted once that “war is the realm of uncertainty”[3]. This is also true for crises in cyberspace because the uncertainty—the “fog of war” —and the difficulty in formulating an understanding of the situation, and to derive decisions and implementing actions that can resolve the crisis and generate a quick recovery.
Develop Capabilities Before the Crisis
Categorizing three-time frames may help us develop our cyber crisis strategy.
The first would be “Before the Crisis” – Routine time operation and the beginning of alarming indicators. The second “During a Cyber Crisis” – Managing the crisis, hopefully to stop its consequences and recover. The third is “Lessons Learned” – Initiation a learning process and the lessons learned and a working plan to improve readiness for the next crisis.
At the preliminary phase, organizations should invest resources in planning how to face a crisis. Any organization should first determine a set of minimal functional requirements. For example, which relates to determining measures for reasonable downtime and the levels of functioning required for all the computerized systems of the organization. This analysis is usually referred to as business impact analysis (BIA). By using this tool, it is possible to analyze and determine the scope of functioning of each system and the time needed restore it to full operational mode. This reflects on the resources spent during the crisis. Some organizations may afford to suspend contact with customers for a few hours. On the other hand, banks that suspending their online service, or an airline canceling flights, liable to cause financial losses and damage to their reputation. As such, the BIA governs the development of the organization’s cyber crisis procedures
Conclusion
Crisis management training and exercises should be the top priority. Learning through exercises is the most effective way to improve readiness, especially using Red Team service. It exposes weaknesses, potential failures, and enhances common language among managers and employees. Exercises also demonstrate the risks of legal and regulatory exposure, enabling to set mitigations. An important added value is the active participation of management and board members in the exercise.
Developing these capabilities will undoubtedly lead to more effective handling and managing of any crisis as well as better outcomes for the organization and its cyber strategy.
[1] https://www.enisa.europa.eu/news/enisa-news/eu-member-states-test-rapid-cyber-crisis-management
[2] https://www.euractiv.com/section/cybersecurity/news/british-airways-hacking-data-breach-strikes-thousands-of-customers/
[3] Carl von Clausewitz, On War, trans. Michael Howard and Peter Paret, vol. 1, Princeton University Press, 1976, p. 101
English (US)